Re: Latest OOo Etch update -7etch1 depends on different libneon

2007-06-12 Thread Rene Engelhard
[ resend, I just saw even -release and -openoffice were in the mail... ]

Hi,

Kevin B. McCarty wrote:
> I noticed that the latest OpenOffice.org security update in Etch
> (version 2.0.4.dfsg.2-7etch1, which fixed DSA 1307) depends on libneon25
> whereas the previous Etch version (2.0.4.dfsg.2-5etch1) depended instead
> on libneon26.  Are changes in the depended package names, which require
> a dist-upgrade, in security updates considered a bug?  If so, should I

No. Because the change to libneon25 would have been done anyway in etch
r1. See -5etch2 in proposed-updates.

If you compare to the version which is already approved and accepted for
etch1, there's no dependency change..

Actually, -7 was planned to be in etch r1 but as aj doesn't copy it over
from testing..

> bother filing it?

No. Normal.

Grüße/Regards,

René
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  [EMAIL PROTECTED] | GnuPG-Key ID: 248AEB73
   `-   Fingerprint: 41FA F208 28D4 7CA5 19BB  7AD9 F859 90B0 248A EB73





[EMAIL PROTECTED]: Re: Latest OOo Etch update -7etch1 depends on different libneon]

2007-06-12 Thread Rene Engelhard
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

*sigh*. too late...
Typoed the email address. Forward...

- - Forwarded message from Rene Engelhard <[EMAIL PROTECTED]> -

Date: Wed, 13 Jun 2007 01:43:30 +0200
From: Rene Engelhard <[EMAIL PROTECTED]>
To: "Kevin B. McCarty" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Latest OOo Etch update -7etch1 depends on different libneon
Organization: The Debian Project
User-Agent: Mutt/1.5.13 (2006-08-11)

Hi,

Kevin B. McCarty wrote:
> I noticed that the latest OpenOffice.org security update in Etch
> (version 2.0.4.dfsg.2-7etch1, which fixed DSA 1307) depends on libneon25
> whereas the previous Etch version (2.0.4.dfsg.2-5etch1) depended instead
> on libneon26.  Are changes in the depended package names, which require
> a dist-upgrade, in security updates considered a bug?  If so, should I

No. Because the change to libneon25 would have been done anyway in etch
r1. See -5etch2 in proposed-updates.

If you compare to the version which is already approved and accepted for
etch1, there's no dependency change..

Actually, -7 was planned to be in etch r1 but as aj doesn't copy it over
from testing..

> bother filing it?

No. Normal.

Grüße/Regards,

René
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  [EMAIL PROTECTED] | GnuPG-Key ID: 248AEB73
   `-   Fingerprint: 41FA F208 28D4 7CA5 19BB  7AD9 F859 90B0 248A EB73




- - End forwarded message -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Time to replace MD5?

2007-06-12 Thread Joey Hess
Bernd Eckenfels wrote:
> Because open source is all about choice.

So it's there because of a platitude?

> There might be admins using dpkg -i
> or security officers who build their local mirrors manually.

Then why don't we include md5sums and wget commands for all packages in
stable point release announcements? Why not include them in major release
announcements too? Or are these things somehow less "all about choice"?

-- 
see shy jo




Re: Time to replace MD5?

2007-06-12 Thread dann frazier

On Wed, Jun 13, 2007 at 12:40:41AM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I don't understand why DSAs for etch include md5sums and manual upgrade
> > instructions at all. Apt can verify the checksum and gpg signature and
> > handle the upgrade after all, and probably more securely than the
> > average user following the manual instructions.
> 
> Because open source is all about choice. There might be admins using dpkg -i
> or security officers who build their local mirrors manually.

There may also be admins who prefer to use ar and run the maintainer
scripts by hand, and of course they are free to do so.

But, imo, Debian should document a single recommended procedure - and
direct execution of dpkg isn't something I'd recommend.

-- 
dann frazier





Re: Time to replace MD5?

2007-06-12 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I don't understand why DSAs for etch include md5sums and manual upgrade
> instructions at all. Apt can verify the checksum and gpg signature and
> handle the upgrade after all, and probably more securely than the
> average user following the manual instructions.

Because open source is all about choice. There might be admins using dpkg -i
or security officers who build their local mirrors manually.

Gruss
Bernd





Latest OOo Etch update -7etch1 depends on different libneon

2007-06-12 Thread Kevin B. McCarty
Hi,

I noticed that the latest OpenOffice.org security update in Etch
(version 2.0.4.dfsg.2-7etch1, which fixed DSA 1307) depends on libneon25
whereas the previous Etch version (2.0.4.dfsg.2-5etch1) depended instead
on libneon26.  Are changes in the depended package names, which require
a dist-upgrade, in security updates considered a bug?  If so, should I
bother filing it?

(For what it's worth, OOo packages in testing and unstable depend on
libneon25.)

regards,

-- 
Kevin B. McCarty <[EMAIL PROTECTED]>       Physics Department
WWW: http://www.princeton.edu/~kmccarty/   Princeton University
GPG: public key ID 4F83C751                Princeton, NJ 08544





Re: Time to replace MD5?

2007-06-12 Thread Joey Hess
Touko Korpela wrote:
> Debian Security Advisories currently contain MD5 checksums. As MD5 is no 
> longer strong enough, maybe it should be replaced by SHA1 or SHA256?

I don't understand why DSAs for etch include md5sums and manual upgrade
instructions at all. Apt can verify the checksum and gpg signature and
handle the upgrade after all, and probably more securely than the
average user following the manual instructions.

It may have made sense before we had signed Release files, (or perhaps
before we had apt :-), but it feels obsolete now. Note that DTSAs
already only include apt upgrade instructions.

-- 
see shy jo




Re: Time to replace MD5?

2007-06-12 Thread Henrique de Moraes Holschuh
On Tue, 12 Jun 2007, Touko Korpela wrote:
> Debian Security Advisories currently contain MD5 checksums. As MD5 is no 
> longer strong enough, maybe it should be replaced by SHA1 or SHA256?

When combined with size information AND the fact that it needs to be a valid
.deb archive, they are probably more than strong enough.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
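The combined check Henrique describes (published size, MD5 digest, and the file being a structurally valid .deb, i.e. an ar archive whose first member is debian-binary) as an added illustration that is not part of this thread. The archive bytes and the advisory values are constructed inside the block, not taken from any real DSA; a SHA-256 entry is included to show how the stronger digest Touko proposes slots in alongside MD5.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one ar(1) member: 60-byte fixed-width ASCII header, data, 2-byte padding."""
    hdr = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
           + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_constructed_deb() -> bytes:
    """Constructed stand-in for a .deb (not a real package): debian-binary first, then two stubs."""
    return (AR_MAGIC + ar_member(b"debian-binary", b"2.0\n")
            + ar_member(b"control.tar.gz", b"\x1f\x8b" + b"\0" * 14)
            + ar_member(b"data.tar.gz", b"\x1f\x8b" + b"\0" * 14))

def looks_like_deb(blob: bytes) -> bool:
    """Structural check: ar magic, first member named debian-binary whose content is '2.0\\n'."""
    if not blob.startswith(AR_MAGIC) or len(blob) < 8 + 60:
        return False
    hdr = blob[8:68]
    if hdr[58:60] != b"`\n" or hdr[:16].rstrip() != b"debian-binary":
        return False
    size = int(hdr[48:58].strip())
    return blob[68:68 + size] == b"2.0\n"

def advisory_entry(blob: bytes) -> dict:
    """The values an advisory would publish for this file (constructed here, not from a real DSA)."""
    return {"size": len(blob), "md5": hashlib.md5(blob).hexdigest(),
            "sha256": hashlib.sha256(blob).hexdigest()}

def verify_deb(blob: bytes, expected: dict) -> dict:
    """Run each listed check independently; 'ok' is True only when all of them pass."""
    results = {"size": len(blob) == expected["size"],
               "md5": hashlib.md5(blob).hexdigest() == expected["md5"],
               "valid_deb": looks_like_deb(blob)}
    if "sha256" in expected:  # present only when the advisory lists the stronger digest
        results["sha256"] = hashlib.sha256(blob).hexdigest() == expected["sha256"]
    results["ok"] = all(results.values())
    return results

if __name__ == "__main__":
    good = build_constructed_deb()
    print(verify_deb(good, advisory_entry(good)))
```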





Time to replace MD5?

2007-06-12 Thread Touko Korpela
Debian Security Advisories currently contain MD5 checksums. As MD5 is no 
longer strong enough, maybe it should be replaced by SHA1 or SHA256?

